Social Engineering Wire Transfer Scams Affecting U.S. Companies

April 7, 2016

Companies that send money by wire transfer must be aware of scams

Businesses that wire money to vendor or corporate bank accounts, or on behalf of clients and customers, should be aware of scams that hit even the best-managed companies. These wire-transfer scams deliberately mislead unsuspecting employees into sending money, or diverting payments, to fraudsters who impersonate vendors, clients, customers, and even senior executives or business owners.

Identifying Risks and Frauds

Commonly referred to as social engineering scams, these frauds trick employees with false information delivered by email, text, instant message, telephone call, or other electronic communication. The information and the request to transfer funds will appear legitimate, but will actually have been sent by imposters intent on stealing the company’s money.

Here are some typical scams and strategies to avoid them:

Business Email Compromise

This popular scam begins with a fraudulent email sent from someone pretending to be the company’s vendor, customer, or client — or someone posing as an owner, senior executive, or employee. The email will request a transfer of funds and will trick the company employee into wiring funds to a specific bank account under the control of the fraudster.

The Purported Vendor Scheme

In scams involving purported vendors, the criminal assumes the identity of a company vendor and uses an email that appears legitimate, often sent from a compromised email account or from a lookalike domain name that is similar to the vendor’s but slightly altered. The email is sent to an employee whom the fraudster knows is in a position to transfer money. The sender identifies as a vendor the company already does business with and advises the employee that the vendor has changed bank accounts, so the next few payments should go to the new bank. The email will look authentic and may include the vendor’s logo or an attached letter on the vendor’s letterhead. Where the perpetrator has previously breached the company’s computer network, the email may even cite a few valid transactions between the company and the vendor. The employee, without authenticating or validating the request, wires the money to the requested bank. As soon as the money arrives at the new bank, the funds are quickly transferred on to an overseas bank, well before the company realizes it has been scammed, which usually happens only when the real vendor starts asking about the overdue payment.

The Purported Business Owner/Sr. Executive Scheme

In this type of scam, the perpetrators identify themselves within an email as the company owner or a senior executive, and state that they need a transfer made as soon as possible to the bank account identified in the email; common reasons include “to fund a recent acquisition” or “for tax purposes.” The email targets an employee, or even another senior executive, who is in a position to transfer money, and it conveys urgency. In some cases, the email states that an attorney will call shortly with the transaction details and banking information, and shortly thereafter the employee does receive a call from the purported attorney. The employee wires the money to the requested bank without authenticating the request. The fraudster then quickly moves the money to an overseas bank, well before the company realizes it has been scammed.

As these types of scams evolve and become more complex, companies should make it a priority to include fraud prevention as a part of their regular business practice processes, utilizing authentication practices, third-party testing when possible, and following all applicable cyber security standards.

Avoiding and Managing the Risks

When it comes to avoiding false pretense and social engineering scams, the best defense is employee awareness. The weakest link in the security chain is the employee who accepts a scenario at face value and doesn’t check its legitimacy. That’s why it is imperative to provide anti-fraud training that includes educating employees on how to recognize and prevent these types of scams.

Train employees on how to recognize and prevent false pretense/social engineering scams or attacks

Provide employees with information about recent scam tactics

Teach employees to never click on embedded links in suspicious or “out of the ordinary” emails

These links may install malware that steals information the criminal later uses to execute the scheme, or that infects company computer systems

Instruct employees (especially those in a position to transfer funds) to never change vendor account information without verifying the change with a telephone call back to the vendor

Make sure the call back number used is a number already on file and don’t use a number provided within the change request to make the call back

Be wary of last-minute changes in business practices

Business owners should stress to their employees that they will never deviate from normal transfer protocol by calling or emailing an employee with an urgent request to transfer funds outside of documented procedures

Have a written policy outlining what is considered confidential, sensitive or proprietary information that should never be released without approval or authorization

Validate funds transfer and payment requests from vendors and clients with a “call back” procedure to an individual authorized to make such requests and to a previously established number

Validate all internal employee requests to transfer funds

Limit wire-transfer authority to specific employees and require next level supervisor sign off on any changes to vendor and client information and for all “internally” requested wire transfers

Be suspicious when someone refuses to provide contact information

Never let the urgency of the message, intimidation or high-pressure tactics influence your careful review and assessment

Develop reporting and tracking programs that document attempts of social engineering/false pretense fraud

Review your email gateway and intrusion detection system (IDS) rules to flag messages sent from domains that resemble your company’s domain but are not it (for example, a lookalike domain with one character changed or a different top-level domain)

Identify which employees have access to bank account information, or have authority to make payments or transfer funds — they are many times a primary target

Consult with computer security and information technology experts

Use cyber security software and keep it up to date

Secure Wi-Fi networks and use mobile device security procedures

Use two-factor authentication to make it more difficult for attackers to get into business computer platform(s), including the email accounts these scams rely on

Conduct third-party penetration testing to measure how well your prevention techniques are working

Randomly test employees with company-created fictitious emails and/or phony phone calls
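Two points in the advice above lend themselves to automation: the vendor scheme’s “similar but slightly altered domain name” and the recommendation to flag mail from domains that resemble the company’s own. The Python below is an added example written for this reprint; it is not code from the original article or from The Hanover Insurance Group. The company domain (example.com), the executive names and the sample messages are constructed assumptions. It folds the substitutions fraudsters rely on (Cyrillic homoglyphs, “rn” for “m”, “1” for “l”), then classifies a sender domain as a confusable, an embedded use of the company name, a top-level-domain swap, or a typosquat within two edits, and separately flags an executive’s display name arriving from an outside address, which is the usual shape of the owner/executive scheme.

```python
"""Triage filter for inbound mail: flags sender domains that imitate the company's
domain and display names that impersonate an executive from an outside address.
Added example, not code from the original article; all names and messages are
constructed for illustration."""
import unicodedata
from email.utils import parseaddr
from typing import Optional

COMPANY_DOMAIN = "example.com"           # assumed company domain
EXECUTIVES = {"jane doe", "raj patel"}    # assumed display names worth protecting

# Cyrillic letters that render like Latin a e o p c y x i, mapped to Latin.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")
# ASCII substitutions used to build lookalikes; multi-character keys first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

def fold(domain: str) -> str:
    """Canonical form: lower-case, homoglyphs mapped to the Latin letter they
    imitate, accents stripped, confusable runs collapsed."""
    d = domain.lower().translate(HOMOGLYPHS)
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Naive registrable domain (last two labels); a real deployment should use
    the public suffix list so that co.uk-style suffixes are handled."""
    return ".".join(domain.strip(".").split(".")[-2:])

def is_internal(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    d = domain.lower().strip(".")
    return d == company or d.endswith("." + company)

def classify_domain(sender_domain: str, company: str = COMPANY_DOMAIN) -> Optional[str]:
    """Verdict for a sender domain, or None if it is not a lookalike.
    Checks run from most to least specific."""
    raw = sender_domain.lower().strip(".")
    company = company.lower()
    if is_internal(raw, company):
        return None   # our own domain; a forged From: here is SPF/DKIM/DMARC's job
    c_name, _, c_tld = company.rpartition(".")
    reg = registrable(raw)
    if fold(reg) == fold(company):
        return "confusable"   # ex\u0430mple.com (Cyrillic a), exarnple.com, examp1e.com
    if company in raw or f"{c_name}-{c_tld}" in raw or f"{c_name}{c_tld}" in raw:
        return "embedded"     # example.com.secure-portal.net, example-com.net
    r_name, _, r_tld = reg.rpartition(".")
    if fold(r_name) == fold(c_name) and r_tld != c_tld:
        return "tld-swap"     # example.net
    if levenshtein(fold(reg), fold(company)) <= 2:
        return "typosquat"    # exmaple.com, examples.com
    return None

def scan(messages, company: str = COMPANY_DOMAIN, executives=EXECUTIVES):
    """(From header, verdict) for each message to hold for manual review before
    anyone acts on a payment or account-change request it contains."""
    flagged = []
    for msg in messages:
        name, addr = parseaddr(msg["from"])
        domain = addr.rsplit("@", 1)[-1]
        verdict = classify_domain(domain, company)
        if verdict is None and name.strip().lower() in executives \
                and not is_internal(domain, company):
            verdict = "display-name-impersonation"   # "Jane Doe <...@gmail.com>"
        if verdict:
            flagged.append((msg["from"], verdict))
    return flagged

# Constructed sample traffic, not real messages.
SAMPLE_MESSAGES = [
    {"from": "ap@example.com", "subject": "Invoice 4471"},
    {"from": "billing@acme-supplies.com", "subject": "Invoice 2291, net 30"},
    {"from": "billing@ex\u0430mple.com", "subject": "Updated remittance details"},
    {"from": "jane.doe@exarnple.com", "subject": "Urgent wire for acquisition"},
    {"from": "payments@example.com.secure-portal.net", "subject": "Action required"},
    {"from": "Jane Doe <jdoe.ceo@gmail.com>", "subject": "Are you at your desk?"},
    {"from": "it-helpdesk@exmaple.com", "subject": "Password reset"},
    {"from": "hr@example.net", "subject": "W-2 forms"},
]

if __name__ == "__main__":
    for sender, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:28} {sender}")
```

Run it as a script to see the verdict for each constructed message. Treat it as a triage filter, not a decision: a flagged message is held for review, and a message that passes still gets the call-back to a number already on file before any account change or wire goes out. It deliberately ignores mail that claims to come from the company’s exact domain, because catching a forged From: header there is what SPF, DKIM and DMARC are for, and its two-edit threshold will occasionally flag an unrelated short domain, which is the right trade-off for a mailbox that handles payments.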

Reprinted with permission from The Hanover Insurance Group. Brunswick Companies is an independent insurance agency representing only A Rated carriers. We value our carriers’ investments in research and proudly share their market insights.